Each online business application has its own set of assets that need to be protected in order to maintain the privacy of information and a positive reputation in the eyes of clients or consumers. In this post, we will discuss the principles of security and privacy, define terms used to complete risk assessments, and finally review what it means to use a risk-based approach when setting up a security framework.
What are the Principles of Information Security and Privacy?
According to OWASP, information security is based upon three main foundations: confidentiality, integrity, and availability. OWASP is a foundation established as a nonprofit charitable organization. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
Confidentiality allows access to information only for those who are authorized. Integrity ensures that data has not been modified by an unauthorized individual. Finally, availability means that information and data are available for use at all times. Confidentiality, integrity, and availability should all be considered when building a security framework.
While privacy is a component of security, it is really its own principle when it comes to information security. OWASP defines privacy as, “the practice of protecting privacy by means of processes, communication, and technical measures as part of the software engineering design.”
In general, security is an essential element of privacy, but security should also be considered separately when defining mitigation controls for cyber security threats to online business applications. That is because security is more than just a technology used to maintain privacy. Security is also an action and a method.
Using Risk to Outline Information Security and Privacy Needs
Before a risk can be mitigated, a company must first determine which assets require protection. Examples of assets include the following: credit card details, personally identifiable information, account information, financial information, password information, important company functions such as logging into the system, and other important processes.
To help identify whether information or a process is an asset, a few helpful questions to run through include the following:
- What information at the company is confidential?
- What information cannot be compromised?
- What information, data, or process is proprietary or irreplaceable?
- What information, data, or process, if lost, would cause the most damage to the company's reputation?
The items identified when going through these questions are considered company assets. Once a company has identified their assets, they can then consider risks and security controls to mitigate those risks.
Additional resources that companies can use to help identify assets from a risk-based approach are listed below.
- ISO 27005: This International Standard provides guidelines on how companies should implement information security risk management in an organization. Additionally, it supports general concepts within ISO 27001 and was created to help companies implement information security frameworks using a risk-based approach.
- Information Risk Assessment Methodology 2 (IRAM2): The Information Security Forum (ISF) is an independent, nonprofit organization dedicated to investigating, clarifying, and resolving key issues in information security and risk management. This framework was created to assist organizations in understanding the information they hold and the associated risks. The fundamentals of this framework aim to:
  - Provide an approach that is simple yet effective
  - Provide consistency in approach
  - Introduce business objectives while identifying risks
  - Provide an approach that covers a wide variety of risks
  - Focus on those risks that are considered High or Medium level
  - Encourage feedback from stakeholders to better identify risks
Understanding How Risk Can Mitigate Threats to Online Business Applications
Security is not something that can be defined using a one-size-fits-all approach. As mentioned above, when defining risk, a company must first understand the assets it must protect. Once a company has determined which assets are most important, it can start thinking about an information security framework that will be effective. Creating an effective information security framework starts with understanding known vulnerabilities, perceived threats, and adversaries.
Vulnerabilities are weaknesses in existing controls or technologies that can be exploited by a threat. Threats come in many shapes and sizes, but a few examples include malware attacks, phishing, backdoors, and spying. Finally, threats are executed by adversaries. Adversaries are usually hackers who ping many systems at one time looking for some type of vulnerability that can be exploited, but, depending on the information at stake, they could be specific individuals or, in extreme cases, nation states.
Risk can be defined using the following equation: RISK = Vulnerabilities × Threats × Consequences. Often, vulnerabilities and threats are not fully known at the time a company is completing a risk assessment.
A good method is to first look at the assets that, if exposed or stolen, would cause the most damage. Then think through the consequences if that information or process were exposed or stolen. This will help determine whether the risk should be considered high, medium, or low. The higher the risk, the more security controls should be in place; if the risk is lower, only a limited number of security controls may be required. Examples of security controls include implementing VPN, encryption, MFA, OpSec, HTTP filters, locked screens, SSH, and SSL/TLS.
Walking Through a Sample Risk and Mitigation Steps
We will now walk through an example. In this scenario, the asset is a laptop containing PII. The threat is that the laptop is stolen and, when the adversary or person who stole the laptop opens the computer, the information is available in plain text. The consequence is that the reputation of the company could be tarnished and it is possible that a client's identity could be compromised.
In this example, the risk would be considered medium or high depending on how often laptops are taken outside of the workplace. To combat these risks, the company should implement password protection to log in to the computer, a screen lockout time, and finally full disk encryption.
Implementing these controls would significantly decrease the risk that, if the laptop were stolen, client information would be compromised. As each risk is identified, a similar dissection of threats, consequences, and mitigating security controls should be completed.
Summary – Considering Risk to Mitigate Cyber Security Threats in Business
To proactively combat threats and adversaries, companies must take an active role in identifying those risks that could have a devastating impact on operating a successful business. That is why a number of standards and frameworks are moving to a risk-based approach to identifying assets that require protection.
The ultimate goal of implementing a risk-based approach is to execute a number of security controls that mitigate risk to an acceptable level and give clients, regulators, and auditors assurance that information in the hands of third parties is safe within reason.
For more information, check out some other Linford & Company posts about using risk to mitigate cyber security threats.
- Insider Threats: The #1 Cyber Security Risk to an Organization
- Can You Assess & Manage Your Organizational Risk?
- Reporting on an Entity’s Cybersecurity Risk Management Program and Controls (SOC for Cybersecurity)
- Information Security Risk Management Tips
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is currently a manager with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.